
Common Security Threats in the Retail Industry

The retail industry is one of the most lucrative targets for cybercriminals due to the vast amount of sensitive customer and financial data collected and stored. The use of a mix of technologies to support both the brick-and-mortar Point of Sale systems in-store and cloud-based systems for e-commerce further widens the attack surface. Retailers need to be aware of the ever-evolving threat landscape to best mitigate potential risks. 

Retail has emerged as the third most attacked industry in Canada. - IBM

Canadian retailers face a variety of threats that can impact their operations, the security of their clients’ data and result in financial losses, reputational damage, and litigation. Some of the most common types of security threats retailers may encounter include: 

Point of Sale (POS) Attacks: Attackers infiltrate POS systems and install malware that captures payment card information as it is processed. Once the card data has been captured, they connect to the device remotely to retrieve it. 
Phishing: One of the most common types of social engineering, in which attackers try to trick employees into providing sensitive information through fake websites or emails that mimic legitimate communications. Recent years have seen the rise of new variants of phishing, one example being QR code scams, a tactic attackers use to send customers to fraudulent payment sites or to deliver malware. 
Vishing: Another type of phishing attack prevalent in the hospitality and retail industry is vishing. The motive is the same as phishing, but the technique relies on phone calls or voice messages to trick individuals into revealing personal information. It is often frontline staff who answer the phone and respond to a matter they are told is urgent and must be resolved immediately. This is particularly challenging in industries with a relatively high level of staff turnover and shared devices. 
In September 2023, hotel and entertainment giant MGM Resorts experienced a devastating cyberattack costing more than $100 million. A phone call from bad actors impersonating a support agent resulted in direct access to a server system, causing system outages, operational disruption, a data breach, and more. 
Ransomware: Threat actors actively exploit vulnerabilities in retailer networks to install ransomware, allowing them to encrypt systems and bring transactions to a standstill, until the retailer pays a ransom. 

In February 2022, retail giant Indigo lost $50 million in a ransomware attack that halted in-store debit/credit card transactions for several days, wiped out online sales for almost a month and shut down its e-commerce platforms for four weeks. Other operational limitations impacted their ability to fulfil product orders. The results were devastating, even for an established retail giant to navigate. 

Supply Chain Attacks: Cybercriminals compromise third-party supplier systems, which can undermine the retailer's own security, especially where systems are interconnected. 
Mitigating the Risks  
While the cloud has offered the retail and hospitality industry numerous benefits, it’s also introduced new risks. The best defense is a multi-layered one that includes a holistic combination of technology, policies, and employee training. Here’s a list of the most important ways retailers can secure their businesses: 
Multi-Factor Authentication (MFA): Retailers can reduce the risk of phishing attacks by implementing multi-factor authentication. This is a bare-minimum must; unfortunately, not many POS systems have implemented MFA. 
Conditional Access: Conditional access policies are rules that dictate how and when users can access specific resources or systems. 
Network Segmentation: Isolating (segmenting) the cardholder data environment from the remainder of an entity's network. 
Payment Card Industry Data Security Standards (PCI DSS): Retailers must adhere to PCI DSS, a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. 
Security Awareness Training: Conduct regular Security Awareness Training that educates employees on how to identify and respond to potential threats. Consider a program that includes phishing simulation and detailed reporting so you can see who’s struggling and who’s leading the charge with security at your business. 
Incident Response Plan: It’s no longer a question of whether an adversary will get in, it’s a question of when. Successfully responding to a breach is all about speed and limiting the window of access and damage to your environment. Develop and regularly update an incident response plan to guide actions in the event of a security breach. 
Establish IT Governance and NIST/CIS Frameworks: IT governance helps a business better manage its risks and align IT with its business objectives. This is crucial to demonstrating results against business strategies and goals and to complying with increasingly stringent data privacy and compliance regulations. A vCIO can help your business navigate Governance, Risk and Compliance.
Managed Security Services: Managed Service Providers can add a technical layer of security to your retail or hospitality business, gaining real-time visibility into your network with advanced tools, next-generation antivirus, Endpoint Detection and Response (EDR), ransomware detection, and more. 
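To make the MFA and conditional access items above concrete, here is an added example (not from the original post, and not any vendor's policy engine) that evaluates constructed sign-in events against a small set of conditional access policies. The resource names, policies and events are all hypothetical; the point is the decision logic: every applicable policy must pass, a resource no policy covers is denied by default, and every denial carries a reason that can be logged and reviewed.

```python
"""Conditional access evaluation over constructed sign-in events (added example)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class SignIn:
    user: str
    resource: str            # hypothetical resource identifier
    mfa_passed: bool         # did the user complete a second factor?
    device_compliant: bool   # is the device managed and compliant?
    country: str             # ISO country code of the sign-in


@dataclass
class Policy:
    name: str
    resources: Set[str]
    require_mfa: bool = True
    require_compliant_device: bool = False
    allowed_countries: Set[str] = field(default_factory=set)  # empty = any country


# Constructed policies: the POS back-office is the cardholder data environment,
# so it demands MFA, a compliant device and a sign-in from Canada.
POLICIES = [
    Policy("pos-backoffice", {"pos-backoffice"}, require_mfa=True,
           require_compliant_device=True, allowed_countries={"CA"}),
    Policy("ecommerce-admin", {"ecommerce-admin"}, require_mfa=True),
]


def evaluate(event: SignIn, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return ("allow", []) or ("deny", [reasons]) for one sign-in event."""
    applicable = [p for p in policies if event.resource in p.resources]
    if not applicable:
        # Default deny: an uncovered resource is a policy gap, not an allow.
        return "deny", ["no conditional access policy covers this resource"]
    reasons: List[str] = []
    for p in applicable:
        if p.require_mfa and not event.mfa_passed:
            reasons.append(f"{p.name}: MFA required")
        if p.require_compliant_device and not event.device_compliant:
            reasons.append(f"{p.name}: compliant device required")
        if p.allowed_countries and event.country not in p.allowed_countries:
            reasons.append(f"{p.name}: sign-in from {event.country} not allowed")
    return ("allow", []) if not reasons else ("deny", reasons)


# Constructed sample events (not real users or sign-ins).
EVENTS = [
    SignIn("cashier01", "pos-backoffice", True, True, "CA"),
    SignIn("cashier01", "pos-backoffice", False, True, "CA"),
    SignIn("admin02", "ecommerce-admin", True, False, "US"),
    SignIn("admin02", "pos-backoffice", True, False, "US"),
    SignIn("vendor03", "loyalty-db", True, True, "CA"),
]


def audit(events: List[SignIn] = EVENTS):
    """Evaluate every event; returns (user, resource, decision, reasons) rows."""
    return [(e.user, e.resource, *evaluate(e)) for e in events]


if __name__ == "__main__":
    for user, resource, decision, reasons in audit():
        print(f"{user:10} {resource:16} {decision:5} {'; '.join(reasons)}")
```

The denial reasons are the part worth keeping: feeding them into the same log pipeline as successful sign-ins gives the security team a view of which staff, devices and locations are repeatedly failing policy, which is also useful input for the awareness training and incident response items below.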

By combining these measures, retailers can create a comprehensive, multi-layered security strategy to mitigate potential risks and protect the integrity of their operations. Regularly updating security protocols and staying informed about emerging threats are also crucial components of a robust security posture. Interested in learning more about how we can help? Reach out to us. 
